This patch adds a new user response attribute, password_expires_at,
to the Identity API v3 documentation.
Password expires validation implementation:
https://review.openstack.org/333360
Depends-On: I07c10de627898d6ac79578dc24292ded4a2190f1
Partially-implements: blueprint pci-dss
Change-Id: I37136f79488d7469f0b8b24e3f5628899e40cac0
The domain config via API is marked stable. Tests are updated
and the cli for updating domain configs is marked deprecated.
implements bp domain-config-as-stable
Change-Id: I7bf0a914be13f88313c14bc196369de49cc7413f
"Shadow users: unified identity" implementation:
Allow concrete role assignments for federated users. Currently,
federated users get roles from mapped group assignments. However, with
the shadow users implementation, federated users are mapped to
identities in the backend and thus can be assigned roles.
This patch returns locally assigned roles with the mapped group roles
for federated users, allowing for authorization for those roles.
bp shadow-users-newton
Change-Id: I9a150ded6c4b556627147d2671be15d6a3794ba5
When using list_limit configuration option in Default section of
keystone.conf, the /services?name=<service_name> API fails to find
the service if list_limit value is smaller than the total number
of services and the searched service is not among the first
'list_limit' services. The API should first filter by name and
only afterwards truncate the result list.
Also, this patch fixes setting the 'truncated' attribute of the
driver's hint.limit object when truncating the list outside of
driver_hints.truncated decorator, a problem exposed by fixing the
problem described in the first paragraph.
Closes-Bug: #1594482
Change-Id: I832f542c3cb0faf94a1e5bce5a894f7f4d26a8de
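The filter-then-truncate ordering described in the commit message above, as an added Python example that is not Keystone's own code: the `Hints` class and the service records are constructed stand-ins, and only the `limit`/`'truncated'` shape of the real `driver_hints.Hints` object is assumed.

```python
import uuid

LIST_LIMIT = 2  # stands in for [DEFAULT] list_limit in keystone.conf

# Constructed sample catalog: the searched service ('cinder') is not among
# the first LIST_LIMIT entries, which is exactly the case that failed.
SERVICES = [
    {'id': uuid.uuid4().hex, 'type': 'identity', 'name': 'keystone'},
    {'id': uuid.uuid4().hex, 'type': 'compute', 'name': 'nova'},
    {'id': uuid.uuid4().hex, 'type': 'image', 'name': 'glance'},
    {'id': uuid.uuid4().hex, 'type': 'volume', 'name': 'cinder'},
]


class Hints(object):
    """Minimal stand-in (assumption) for keystone.common.driver_hints.Hints:
    a name filter plus a limit dict carrying the 'truncated' flag."""

    def __init__(self, limit=None, name=None):
        self.filters = {'name': name} if name else {}
        self.limit = {'limit': limit, 'truncated': False} if limit else None


def truncate(refs, hints):
    """Cut the list to hints.limit and record whether anything was dropped.
    Setting 'truncated' here is the bookkeeping the second part of the fix
    restores when truncation happens outside the driver_hints.truncated
    decorator, so the API can report that the result list is incomplete."""
    if hints.limit and len(refs) > hints.limit['limit']:
        hints.limit['truncated'] = True
        return refs[:hints.limit['limit']]
    return refs


def filter_by_name(refs, hints):
    name = hints.filters.get('name')
    return [s for s in refs if name is None or s['name'] == name]


def list_services_buggy(hints):
    """Pre-fix order: truncate to list_limit first, then filter by name.
    With name='cinder' this returns [] although the service exists."""
    return filter_by_name(truncate(SERVICES, hints), hints)


def list_services_fixed(hints):
    """Post-fix order: filter by name first, then truncate what is left."""
    return truncate(filter_by_name(SERVICES, hints), hints)
```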
revoke_by_expiration is only useful if a token does not have an
audit_id or audit_chain_id. Tokens always have an audit ID, so
this function seems redundant. It was also deprecated in the
J release, with no timeline for its removal.
Change-Id: Ieb92a70ab782fa8ceb59dc807ea8647587be9e2b
bp: removed-as-of-newton
Since only the memcache backends (that are being removed) use the
kvs system in keystone now, this can be safely deprecated.
Change-Id: I395e66bc957465df0f38ccfc3c48900e1b3a3320
bp: deprecated-as-of-newton
These config options and their supporting command are only useful
when deploying keystone under eventlet; with that removed these
are redundant.
Change-Id: I7c602805bba2c658d3280811ed8919f78ed3aa0d
implements: bp removed-as-of-newton
Eventlet has been deprecated since the Kilo release and is
being removed in Newton.
A follow on patch will be proposed to remove the [ssl] section
since it is now redundant.
Co-Authored-By: Grzegorz Grasza <grzegorz.grasza@intel.com>
Partially implements: bp removed-as-of-newton
Change-Id: I963d94bbd188dbb6eba68623a42c5bc3f2289da4
This has been deprecated for 2 releases and can now be removed.
implements bp: removed-as-of-newton
Change-Id: I9a7b225d15953cec3f597a04c45020aff0bd60a8
Listing SPs currently doesn't support filtering records by any
attributes, but this is used somewhere, such as OpenStack
Client using `name` to filter the record.
SP doesn't have a `name` attribute but has `id` and `enabled`
attributes instead.
This patch enables the filtering of Service Provider based
on `id`, `enabled` attributes so that OpenStack Client or the
CURL query can benefit from it.
based off of: Ib672ba759d26bdd0eecd48451994b3451fb8648a
Closes-Bug: 1555830
Change-Id: Icdecaa44415786397ee8bb22de16d25cb8fe603a
Removed info that's internal to keystone and therefore not relevant
to deployers.
Consistent references to config option names. `` should be used for
literal string values, not references.
Change-Id: Ia7e11683ed3ae7f19fe6680848bdcbaed954f424
When a user is added or removed from a group we should emit a notification. The
notification has group as the resource type and the group ID as the
resource ID. The notification also includes the user, user ID, and the
operation that was done ('removed' or 'added').
This way consumers are notified of user and group memberships.
Change-Id: I93ca3a0cb2fe9b93f5370e5871be1f1b30d87f72
Closes-Bug: 1552639
There should be no reason to leave these settings disabled by default.
By enabling them, keystone runs faster and consumes fewer resources.
Change-Id: I9f8d27b1f6dba19067f38e940632dcf3420c2bfa
The reason db_sync needed to create the default domain is because we
needed a domain for existing v2 users. Since the migrations don't
add the domain_id to users anymore there's no need to create the
default domain.
DocImpact -- The install guide should be updated to say to use
keystone-manage bootstrap or to create the default domain if the
deployment is going to support v2.
Change-Id: I65860fe989ac2456b73bcc12fd02643564b24574
Support TOTP as a distinct authentication mechanism from Password.
bp totp-auth
Co-Authored-By: David Stanek <dstanek@dstanek.com>
Change-Id: Ic0ccf89b9f35d3167a413b10f43be43cf892aead
The LDAP backend supports mapping between LDAP and keystone user
attributes via the 'user_<attribute_name>_attribute' settings in the
LDAP driver configuration.
The current implementation is incomplete, since there is no support for
specifying a 'user_description_attribute' setting for user get (read)
operations.
This change adds support to the LDAP backend for mapping of user
description attributes via a 'user_description_attribute' configuration
also during user retrieval.
Change-Id: I30b63306beae3379aa8c29d0df3f327369d3f2a6
Closes-Bug: #1542417
Building on the support for domain specific roles, this final
patch in the series adjusts the policy rules for grants using
domain specific roles in the v3cloudsample.
In addition, a release note is provided for the domain specific
role functionality.
Implements: blueprint domain-specific-roles
Change-Id: I941611237ddd48cb87337bcebd61cfda52479f87
We allowed 'tenant_id' in catalog substitutions. The 'tenant' term is
deprecated in favor of 'project'. Also allow 'project_id' so that
users can stop using the deprecated term in one more place.
Change-Id: I4bcfbda1b542f09172f5b53185f063c6bea27205
The assignment.root_role config option was previously a single string
which specified a role name that was prohibited from being added as an
implied role. By default it was 'admin'. For greater flexibility we
now permit a list of role names that are prohibited from being
implied.
Summary of changes:
* Change assignment.root_role from cfg.StrOpt to cfg.ListOpt.
ListOpt is preferred over MultiStrOpt because of config file formatting.
Update help for option.
* Change assignment.root_role name to assignment.prohibited_implied_role
* Change test for implied role name from string equality to
membership in list of strings.
* Expand ImpliedRolesTests.test_root_role_as_implied_role_forbidden()
unit test to test 2 prohibited implied role names and 1 valid
implied role name.
Change-Id: Idfe14080e2f1ec1e89b85d8f5f00aad187f1fd22
Closes-Bug: #1541540
Signed-off-by: John Dennis <jdennis@redhat.com>
The AuthContextMiddleware shouldn't be re-implementing the
AdminTokenAuthMiddleware but using the request environment
context setting that the admin token middleware sets up.
This makes it so that admin token handling is in one place
rather than duplicating it and allows for an alternative
implementation of the admin token middleware.
The old behavior is left in place as deprecated to be removed
in a future release.
ReleaseNotesImpact
- The paste.ini file is changed to put the admin token
middleware first so that the auth context middleware can use
the results. It's deprecated to have the admin token
middleware after the auth context middleware.
Closes-Bug: 1473553
Change-Id: I658213699ac4af0abd08f893d9cf18ef0af5827d
Deprecate the admin_token_auth middleware in favor of using
keystone-manage bootstrap
Change-Id: Ib4ca153af2855911f9261081e7e442dfbc28f652
bp: deprecated-as-of-mitaka
bp: bootstrap
Previously to issue GET /project a user needed
at least project_admin level of permission. With
this change, a user can issue GET /project by just
having a role on the project.
Change-Id: I9d23edc22eb88d0b21ab8968dfbe63661220a6fd
Closes-Bug: 1535878
The release note says it isn't possible to *obtain* a trust scoped
token with v2.0 anymore. However it was never possible anyway.
It should say it isn't possible to *validate* a trust scoped token
against v2.0 anymore. This patch fixes this.
Change-Id: I71d1f60c3d54b18cdbeb3047bc860c7906a42d48
If the UUID token provider is configured, it is possible to use trusts to
authenticate against the version 2.0 API. The fernet token provider doesn't
support trust authentication against the v2.0 API. Trusts were never supported
in version 2.0 and it is recommended that trusts are used exclusively with
version 3.
This commit makes this behavior with trusts and v2.0 consistent regardless of
the configured token provider. It is also a step to getting fernet to be the
default token provider in Keystone.
Change-Id: Ia02850d1aec304eccccb4752c43767272047b74e
Since the keystone.auth.plugins.saml2:Saml2 plugin is just a
wrapper for keystone.auth.plugins.mapped:Mapped there is no
need for it (log deprecation for now).
Change-Id: If82554f1e132c92c6fc707da6bdecba11e35620e
bp: deprecated-as-of-mitaka
This change was raised as a nit in the original review. The original
language implies that the option is only used once. The examples show
that the option is used for each notification to ignore.
Change-Id: I9b76757630a77e04b4ae6ae49da9f9bb8b80954d
only support db schema upgrades from kilo onwards
a few notes for reviewers...
* 052 and 063 were not ported over since they negated each other
* 066 was not ported over since it just changed existing data
* 067 was not ported over since this was cleanup from 062
* removed the downgrade block from 067
Change-Id: I07539920eed15290b6036906e34805a0f175a07a
Closes-Bug: 1541092
This patch will allow certain notifications for events in
Keystone to be opted out. Opting out may be a desired way of
doing this since most keystone deployers will likely like
to have all audit traces by default.
Change-Id: I86caf6e5f25cdd76121881813167c2144bf1d051
Closes-Bug: 1519210
With PKI deprecated, we should also deprecate this command.
bp: deprecated-as-of-mitaka
Closes-Bug: 1541201
Change-Id: If0600fc52084d1bb2acaadb05d858e4b69ff48eb
With the enhanced list_role_assignment manager method we have
already removed most of the duplication of inheritance logic when
listing roles. However, for federated operations there was a
class of query focused around assignments that derive from the
set of groups (i.e. those a federation user is given membership
of) that was not supported by list_role_assignments.
This patch adds that support, removes the duplicative
driver methods and re-implements the manager methods to call
list_role_assignments.
Implements: blueprint assignment-manager-cleanup
Change-Id: I9d76878963b178ec474b0c89be2ad2024bdd10d5
Some comments that needed to be addressed in [0]
- Add a negative test
- Fix reno note
[0] I0a1cc986b8a35aeafe567e5e7fee6eeb848ae113
Change-Id: Ibbdf2c321a9b2c8c8b7955521536a992bc475aba
At the previous summit, we decided to deprecate write support for
identity LDAP. It'll be removed in 2 releases. Several config
options were affected, and those operations should now have
deprecation warnings.
implements bp: deprecated-as-of-mitaka
Change-Id: I1e989d6c5e85ba303609c7bb36116a8bdedce9e4
The PKI and PKIz drivers are now deprecated, but one of the
config options that only works for PKI has not been deprecated.
implements bp: deprecated-as-of-mitaka
Change-Id: I55d5fb2a2678dccd8638b0460921ba6f8e76da6a
Mark the memcache and memcache_pool token persistence backends
deprecated in favor of using the fernet token (no-persistence
needed) backend.
This is only deprecating the token persistence backends and does
not affect the cache layer.
implements bp deprecated-as-of-mitaka
Change-Id: I552774f95bc246f7f013350f5b11ae4ae482bdc5